Subject: [bug#67288] [PATCH] services: laminar: Add configuration option for supplementary groups
From: Arun Isaac
To: Ludovic Courtès, "Thompson, David"
Cc: Christopher Baines, 67288@debbugs.gnu.org
Date: Sun, 26 Nov 2023 00:00:23 +0000
Message-ID: <87il5pcrjc.fsf@systemreboot.net>
In-Reply-To: <87leal4zz1.fsf@gnu.org>
References: <87leal4zz1.fsf@gnu.org>

Hi,

>> I started using Laminar CI for my personal server, but I had trouble
>> with the current system service. My server is configured to only allow
>> members of the "git" group access to the Git repositories, so the CI
>> job running as the "laminar" user couldn't do anything useful. This
>> patch adds a new configuration field for a list of supplementary
>> groups to be used for the "laminar" user and the service process.
>
> Cc’ing Arun and Chris, who know better than me. Is this a problem they
> worked around so far?

This kind of problem requiring supplementary groups exists with many of
our services, not just the laminar service. I don't run into trouble
with the laminar service because git repos on my servers are usually
publicly readable by all users (including the laminar user).

To provide another example, I have similar trouble with our nginx
service not being able to access Unix sockets created by our fcgiwrap
service. Now, I work around this by having a special fcgiwrap service in
guix-forge[1]. This special guix-forge fcgiwrap service differs from the
guix fcgiwrap service in that it creates separate fcgiwrap instances for
each web application, each with its own explicitly specified
permissions.

[1]: https://git.systemreboot.net/guix-forge/tree/guix/forge/fcgiwrap.scm

I don't think the solution to this problem is to add a
`supplementary-groups' field to all our services. I'm not sure how, but
we need to compose things better. If we don't, we may find we need to
add some other field in the future and quickly be in a combinatorial
explosion.

Thinking out loud, the Guix service configuration system is really a
propagator network. So, maybe, the solution is to allow one service to
*extend* another service by specifying what supplementary groups it
should be a part of. This is more flexible than simply adding a
configuration field.

Sorry to be quite vague here. Does this make any sense? Happy to chat
more.

Regards,
Arun